lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20071121170411.GA8511@sergelap.austin.ibm.com>
Date:	Wed, 21 Nov 2007 11:04:11 -0600
From:	"Serge E. Hallyn" <serue@...ibm.com>
To:	Stephen Smalley <sds@...ho.nsa.gov>
Cc:	"Serge E. Hallyn" <serue@...ibm.com>, linux-kernel@...r.kernel.org,
	casey@...aufler-ca.com, chrisw@...s-sol.org, darwish.07@...il.com,
	jmorris@...ei.org, method@...icmethod.com, morgan@...nel.org,
	paul.moore@...com
Subject: Re: +
	smack-version-11c-simplified-mandatory-access-control-kernel.patch
	added to -mm tree

Quoting Stephen Smalley (sds@...ho.nsa.gov):
> On Wed, 2007-11-21 at 09:48 -0600, Serge E. Hallyn wrote:
> > Quoting akpm@...ux-foundation.org (akpm@...ux-foundation.org):
> > > +/*
> > > + * There are not enough CAP bits available to make this
> > > + * real, so Casey borrowed the capability that looks to
> > > + * him like it has the best balance of similarity amd
> > > + * low use.
> > > + */
> > > +#define CAP_MAC_OVERRIDE CAP_LINUX_IMMUTABLE
> > 
> > Hey Casey,
> > 
> > note that 64-bit capabilities are now in -mm, so you could grab your own
> > capability.
> 
> Which brings up an interesting question - what to do with
> security-module-specific capabilities?  CAP_MAC_OVERRIDE is specific to
> Smack - other MAC modules like SELinux won't honor it.  Maybe it should
> be CAP_SMACK_OVERRIDE.

Yeah, I was thinking it would be renamed to something smack-specific.
The concept of CAP_MAC_OVERRIDE is pretty general, but then users may
for just that reason expect the capability to also let them override
selinux and other capabilities.

For instance the capabilities equivalent to a CAP_MAC_OVERRIDE would
probably be CAP_SETPCAP, since it can be used to add capabilities back
into your inheritable set.  But we wouldn't want to share one capability
for CAP_SETPCAP and CAP_SMACK_OVERRIDE.  CAP_SETPCAP does let you regain
CAP_SMACK_OVERRIDE, but a process could have CAP_SMACK_OVERRIDE but be
denied CAP_NET_ADMIN for instance, or heck even CAP_DAC_OVERRIDE.

So short answer is: I agree :)

thanks,
-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ